Regulators are enforcing patient access and security expectations more aggressively, even as long-awaited rule updates remain unresolved.
Federal regulators are entering 2026 with major HIPAA rule updates still unfinished, while enforcement activity reflects expectations that go beyond the existing regulatory text. The Department of Health and Human Services has not finalized proposed updates to the HIPAA Privacy Rule, first introduced in December 2020, nor a separate proposal to modernize the HIPAA Security Rule released in January 2025. Despite that regulatory uncertainty, enforcement signals from the Office for Civil Rights indicate continued scrutiny of patient access practices, information blocking complaints, and security safeguards tied to electronic health information. Healthcare organizations are now facing real consequences under existing HIPAA authorities, even as the rules themselves remain in flux.
HIPAA’s core structure has remained largely unchanged since the Omnibus Final Rule in 2013, but enforcement expectations have continued to change alongside healthcare digitization and increasing cyber risk. Recent OCR activity shows regulators relying on existing Privacy and Security Rule provisions to address issues that were meant to be clarified or expanded through proposed updates. Patient access remains a primary enforcement area, with delays, improper fees, and incomplete responses drawing attention regardless of whether proposed timelines or fee limits have been finalized. On the security side, OCR investigations and resolution agreements reference modern risk management concepts such as access controls, system monitoring, and incident preparedness, even though the proposed Security Rule overhaul has not been adopted. As a result, organizations are being held to standards that resemble the proposed rules in practice, if not in name.
Legal and compliance advisors have warned that waiting for final HIPAA rules carries a growing risk. Regulators have consistently indicated that enforcement will focus on real-world barriers to patient access, technical or contractual restrictions on data sharing, and security failures that expose electronic health information. While HIPAA’s privacy and security exceptions remain available, OCR has signaled that those exceptions must be narrowly applied and supported by clear documentation. Observers have also noted that regulators may continue to rely on guidance, enforcement actions, and corrective action plans to clarify expectations in areas such as care coordination and interoperability, rather than delaying action until formal rulemaking is complete.
Regulatory pressure is also building around unfinished but already enforceable compliance obligations. Legal guidance confirms that covered entities and health plans must update their HIPAA Notice of Privacy Practices by February 16, 2026, to reflect the new protections for substance use disorder records under 42 CFR Part 2. Unlike earlier Part 2 rules, enforcement authority now sits with the HHS Office for Civil Rights, giving regulators the ability to pursue civil penalties, corrective action plans, and audits for noncompliance. Advisors have warned that organizations waiting for additional HIPAA rulemaking risk falling behind, as OCR has made clear that policy alignment, documentation, and notice updates are expected ahead of the deadline, not after it.
Industry resistance has intensified as enforcement expectations continue to rise. On December 8, 2025, a coalition of healthcare organizations wrote a letter to HHS Secretary Robert F. Kennedy Jr., urging the agency to pause the proposed Security Rule overhaul. The coalition cited concerns about financial strain, staffing shortages, and the operational burden of prescriptive cybersecurity mandates. While acknowledging that cybersecurity directly affects patient safety, the groups argued that enforcing modern security expectations without finalized rules creates uncertainty and risks diverting limited resources away from care delivery. The letter reflects a broader concern that enforcement momentum is outpacing regulatory clarity, leaving providers to interpret changing expectations with limited formal guidance.
Regulators can enforce existing HIPAA requirements using updated interpretations, guidance, and enforcement discretion, even when proposed rules remain unfinished.
No. Proposed rules do not carry legal force, but enforcement actions often reflect the direction regulators intend to take.
Patient access delays, information blocking complaints, improper fee practices, and security weaknesses affecting electronic health information.
Yes, but regulators expect consistent application, documented risk assessments, and clear internal justification.
Healthcare organizations should review access workflows, vendor and contract language, cybersecurity controls, and staff training to ensure alignment with current enforcement expectations rather than waiting for finalized rule text.